Addressing threats to health care's core values, especially those stemming from concentration and abuse of power. Advocating for accountability, integrity, transparency, honesty and ethics in leadership and governance of health care.

Monday, December 09, 2013

But Don't Worry, Your Health Information is Secure: the Enforcers are Themselves Incompetent and Broke

The Office of the Inspector General for HHS just issued a report finding that the Office of Civil Rights (OCR), which is charged with enforcing the HIPAA/HITECH law, had itself failed to adequately protect the security of the health information it handled. Specifically OIG found that OCR “focused on system operability to the detriment of system and data security.”

The Office for Civil Rights (OCR) did not meet certain Federal requirements critical to the oversight and enforcement of the Health Insurance Portability and Accountability Act Security Rule (Security Rule). OCR had not assessed risks, established priorities, or implemented controls for its Federal requirements to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. In addition, OCR's Security Rule investigation files did not contain required documentation supporting key decisions made because management had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators follow investigation policies and procedures for properly initiating, processing, and closing Security Rule investigations. Further, OCR had not fully complied with Federal cybersecurity requirements for its information systems used to process and store investigation data because it focused on system operability [I presume they mean 'interoperability' - ed.] to the detriment of system and data security.

We recommended that OCR (1) assess the risks, establish priorities, and implement controls for its HITECH auditing requirements; (2) provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities; (3) implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed; and (4) implement the National Institute of Standards and Technology Risk Management Framework for systems used to oversee and enforce the Security Rule. In its comments on our draft report, OCR generally concurred with our recommendations and described the actions it has taken to address them. In specific comments on our second recommendation, however, OCR explained that no funds had been appropriated for it to maintain a permanent audit program and that funds used to support audit activities previously conducted were no longer available.

The enforcers are themselves negligent, incompetent and broke. And hospitals are expected to keep electronic protected health information secure?

A Toronto woman is shocked after she was denied entry into the U.S. because she had been hospitalized for clinical depression.

Ellen Richardson went to Pearson airport on Monday full of joy about flying to New York City and from there going on a 10-day Caribbean cruise for which she’d paid about $6,000.

But a U.S. Customs and Border Protection agent with the Department of Homeland Security killed that dream when he denied her entry.

“I was turned away, I was told, because I had a hospitalization in the summer of 2012 for clinical depression,” said Richardson, who is a paraplegic and set up her cruise in collaboration with a March of Dimes group of about 12 others.

The Weston woman was told by the U.S. agent she would have to get “medical clearance” and be examined by one of only three doctors in Toronto whose assessments are accepted by Homeland Security. She was given their names and told a call to her psychiatrist “would not suffice.”

At the time, Richardson said, she was so shocked and devastated by what was going on, she wasn’t thinking about how U.S. authorities could access her supposedly private medical information.

“I was so aghast. I was saying, ‘I don’t understand this. What is the problem?’ I was so looking forward to getting away . . . I’d even brought a little string of Christmas lights I was going to string up in the cabin. . . . It’s not like I can just book again right away,” she said, referring to the time and planning that goes into taking a trip as a disabled person.

Richardson said she’d had no discussion whatsoever with the agent at the airport about her medical history or background.

2 comments:

I'm starting to wonder if HIPAA is actually a revenue raising method. Perhaps this funding will allow the OCR to recover? Yes, some of the offenses and fines have been warranted (willful negligence and so forth) but some organizations have also done everything reasonably possible and still have had issues. The complexity of systems and workflows required to comply can be staggering for some. I have also seen where others have gone overboard and have isolated (protected) themselves to the extent that patient care is at risk.... But they are HIPAA Compliant.
